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Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )S Responsive to communication(s) filed on 05 January 2006 . 
2a)S This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^3 Claim(s) 1-21 is/are pending in the application. 

4a) Of the above claim(s) 22-34 is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) E3 Claim(s) 1-21 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)13 The drawing(s) filed on 12/21/2001 is/are: a)D accepted or b)K objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1 .121(d). 
11 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)D All b)D Some * c)Q None of: 

1 .□ Certified copies of the priority documents have been received. 

2.D Certified copies of the priority documents have been received in Application No. . 

3-D Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 



Election/Restrictions 



1. 



Applicant's election without traverse of claims 1-21 in the reply filed on 



01/05/2006 is acknowledged. 



2. 



Claims 1-21 have been examined. 



Drawings 



3. Figure 1 should be designated by a legend such as -Prior Art- because only 
that which is old is illustrated. See MPEP § 608.02(g). Corrected drawings in 
compliance with 37 CFR 1 .121(d) are required in reply to the Office action to avoid 
abandonment of the application. The replacement sheet(s) should be labeled 
"Replacement Sheet" in the page header (as per 37 CFR 1 .84(c)) so as not to obstruct 
any portion of the drawing figures. If the changes are not accepted by the examiner, the 
applicant will be notified and informed of any required corrective action in the next Office 
action. The objection to the drawings will not be held in abeyance. 



4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



Claim Rejections - 35 USC § 103 
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5. Claims 1-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Togawa U.S. Patent No. 6,240,530, and further in view of Drake U.S. Patent No. 
6,006,328. 

6. Togawa teaches a system for the detection and removal of computer malware. 

7. Togawa fails to teach explicitly searching for observer programs as part of that 
malware. 

8. Drake teaches security methods to protect against attacks by malicious software 
such as eavesdropping malware. 

9. It would have been obvious to one of ordinary skill in the art at the time of the 
applicant's invention to combine the system of Drake with that of Togawa for the 
advantages of improved security by adding the features of protection against such 
malicious activities as eavesdropping to the ability of the scanning system as described 
by Togawa. 

10. It is desirable within any computer system to maintain the security and integrity of 
such a system while preventing damage to the data and components included therein. 
Drake teaches protection of the client computer system against malicious software as 
does Togawa. Although each system teaches protection against a different type of 
malware by way of scanning the computer system, protecting against all forms of 
malware is desirable. (Drake Col 3 lines 30-52) 

1 1 . Regarding Claims 1 and 21 : Observer program data characteristics descriptive 
of a plurality of observer programs where the observer programs are programmed to 
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observe activities on a computer system and to create log data. (Togawa Fig 1 .s1 , Col 5 
lines 10-19 Drake Fig 4,5 Col 3 lines 31-52) As it is understood the detection of a virus 
and its type as within Togawa requires recognition of characteristics of a virus. Those 
characteristics residing within the computer systems various components as any 
particular virus infects that system; so then the same is true within the combined system 
for the detection of an observer program as defined by Drake. 

Obtain memory data of the computer by using computer instructions (Togawa Fig 1 , Col 
8 lines 14-30) As explained above the detection of the malware requires checking the 
system which is inclusive of the memory data; therefore in order for the functionality to 
proceed it must in some way obtain such data for scanning. 

Comparing memory data with observer program data characteristics for detection of an 
observer program (Col 8 lines 14-30) As it is known within the art virus scanning is the 
process of comparing two such sets of data. Further within the combined system the 
observer program characteristics are included within the set of the compared traits. 
Generating a result of whether an observer program is present (Fig 1, Fig 3-4 Col 5 
lines 10-38) Detection denotes that a result is generated as to the response of the 
scanning process. 

Presenting results through a GUI (Fig 3-4, Col 5 lines 39-50, Col 13 lines 8-55, Col 14 
lines 18-25) As denoted the display performs functions of disseminating operational 
information which is in a graphical form and presented within an OS that the user is 
capable of interacting with. 
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12. Regarding Claims 2 and 3: Memory data includes startup and registry startup 
commands (Col 8 lines 14-30, Col 13 lines 19-56) As stated the memory contains all 
necessary information for the processes of the machine; these processes being 
inclusive of starting up necessary portions for operation thereof; such as the OS which 
includes a registry and the virus detection that being its own implementation scans the 
memory that these commands are located within. 

13. Regarding Claims 4 and 5: Observer program characteristics include observer 
import/export table data for comparison with memory import/export table data to 
determine the presence of an observer program (Col 8 lines 14-30, Col 13 lines 19-56) 
As explained above all of the common features of the memory and functionality of the 
system are scanned via the anti-malware system. 

14. Regarding Claim 6: Observer program characteristics include observer resource 
data for comparison with memory resource data to determine the presence of an 
observer program (Col 8 lines 14-30, Col 13 lines 19-56) 

15. Regarding Claim 7: Observer program characteristics include observer file 
content data for comparison with memory file content data to determine the presence of 
an observer program (Col 8 lines 14-30, Col 13 lines 19-56) Additionally, as is shown 
and well known within the art file content is compared to malware characteristics for 
detection of such programs located commonly in such a place. 

16. Regarding Claim 8: The comparing instruction compare the observer file content 
data with memory file content data at an offset address (Fig 1 , Fig 3-4, Col 5 lines 10- 
20, Col 13 lines 19-56) The process of scanning for malware is inclusive of the entire 
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range of memory; therefore the process must offset the data being scanned by that 
which has already been. 

17. Regarding Claim 9: The comparing instruction compare the observer file content 
data with a span of the memory file content data identified by an offset address (Fig 1 , 
Fig 3-4, Col 5 lines 10-20, Col 13 lines 19-56) The process of scanning for malware is 
inclusive of the entire range of memory; therefore that which is scanned is a span of 
memory that is offset by the amount previously scanned. 

18. Regarding Claim 10: Observer program characteristics include observer module 
loading data for comparison with memory module loading data to determine the 
presence of an observer program (Col 5 lines 10-20, Col 13 lines 19-56) 

1 9. Regarding Claim 1 1 : Observer program characteristics include OS observing 
functions for comparison with memory functions from the memory data to determine the 
presence of an observer program (Col 5 lines 10-20, Col 13 lines 19-56) 

20. Regarding Claim 12: Memory data includes explorer extension data (Col 13 lines 
19-56) 

21. Regarding Claim 13: Memory data includes file use information (Col 13 lines 19- 
56) 

22. Regarding Claim 14: Memory data includes process information (Col 13 lines 
19-56) 

23. Regarding Claim 15: Memory data includes running process information (Col 13 
lines 19-56) 
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24. Regarding Claim 16: Memory data includes loaded module information (Col 13 
lines 19-56) 

25. Regarding Claim 17: Memory data includes driver data (Col 13 lines 19-56) 

26. Regarding Claim 18: Memory data includes kernel driver data (Col 13 lines 19- 
56) All of the above stated separate memory data components are included within any 
resident memory of a common computer system that a system such as the combination 
of Togawa and Drake would be implemented upon. 

27. Regarding Claims 19 and 20: Instruction to disable an observer program if 
present (Fig 1 , Fig 1 0, Col 5 lines 1 0-50, Col 1 9 line 1 5 - Col 20 line 65) 
Entering a startup command to load a kill program before the observer program is 
started (Fig 10, Col 19 line 15 - Col 20 line 65) As shown within the figure the system 
clears the memory then loads a secondary extermination routine, inclusive of the 
secondary OS and associated extermination routine, so that the observer program is 
not reloaded and instead the kill program is loaded and executed. 

Rebooting the computer (Fig 1, Fig 10) As it is shown after the detection and initial 
clearing of memory the system must be rebooted with a separate non-infected operating 
system to further allow for the deletion of any other virus elements. 
Starting the kill program by execution of the startup command (Fig 10, Col 19 line 15 - 
Col 20 line 65) As explained above the kill program is loaded at startup so the virus 
may not load. 
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Deleting the observer program startup command and files (Fig 10, Col 19 line 15 - Col 
20 line 65) The process of clearing the memory as stated within the cited lines and 
exterminating the malware is the process of deleting the startup command. 



Response to Arguments 

28. Applicant's arguments filed 1/05/2006 have been fully considered but they are 
not persuasive. 

29. In response to the applicant's argument of prior art labels for figures 1 and 2, the 
examiner withdraws the requirement for figure 2 as it can be seen that such a figure 
may be unique to the applicant's discussion. However, with regard to figure 1 the 
objection is maintained because only that which is old is illustrated. Figure 1 clearly 
depicts a low level block diagram of a typical computing system within the art, which is 
well-known and thus requires a prior art legend. 

30. In response to the applicant's argument of the combined reference failing to 
show "observer data comprising a plurality of observer program characteristics 
descriptive of a variety of observer programs...", Togawa clearly teaches data that is 
representative of characteristics of virus programs and when combined with the 
teachings of Drake incorporates observer programs into the Togawa system and thus 
provides for this limitation. Togawa states (Col 5 lines 9-15) "...memory for storing 
programs and data for information processing and a processing section for executing 
the programs to perform various information processing, comprising a virus detection 
and identification section for detecting a computer virus.... and identifying a type of the 
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detected computer virus..". The recitation by Togawa of identifying a type of virus 
clearly anticipates program characteristics. Type as defined is "A number of things 
having in common traits or characteristics that distinguish them as a group or class", 
as it can be seen Togawa clearly provides for a manner of identification of types of 
programs or programs with variable characteristics thus providing for recognition of data 
that consists of a plurality of program characteristics. Furthermore, it is an inherent 
functionality within such a program to provide for the comparison of known 
characteristics of malware with the data being scanned in order to identify the programs. 
For further reference see Togawa Col 10 lines 25-67. 

31 . The applicant has argued further that the limitation "...the observer programs are 
programmed to observe activities on a computer system and to create log data." is not 
taught by the combined reference. The teachings of Drake within the combination 
clearly anticipates such observer programs. The applicant states that "rogue software 
eavesdropping" and "anti-spy techniques" does not teach or suggest observer 
programs, but from the definition of Drake of rogue software such programs are clearly 
anticipated. See Drake abstract, Col 1 lines 45-67, Col 2 lines 1-18, 18-32. Drake 
recites many different types of observer programs as being rogue software and further 
teaches that such programs monitor, steal, and store data of the resident computer, 
thus anticipating observer programs and creating log data. 

32. In response to the applicant's argument of the limitation "comparing instructions 
that compare the plurality of observer program characterisitics with memory data 
characteristics to determine whether an observer program is present on the computer." 



Application/Control Number: 10/027,714 Page 10 

Art Unit: 2134 

Drake provides for virus detection of viruses that are resident within the computer 
system being scanned, such viruses are logically located in the memory of said 
computer system and the provided virus check program inherently performs a 
comparison of memory data and observer program characterisitics as the inherent 
nature of such a program dictates within the combination. See Togawa Fig 2, 5, 12, 14, 
Col 10 lines 33-37, 38-67, Col 16 lines 55-67. Togawa provides for detection of 
memory resident viruses and observer programs within the combination and wherein 
the steps of clearing memory are taken and files are restored additional detection and 
removal of malware within those files, see Togawa Col 8 line 10- Col 10 line 67. 

33. Regarding the applicant's argument of Malware as used within the office action. 
Togawa clearly teaches the detection of a type of malware (viruses) and in combination 
with Drake clearly anticipates all malware (Drake Col 1 lines 45-67, Col 2 lines 1-32). 

Conclusion 

34. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
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the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

35. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Applicant is reminded that in amending in response to a rejection 
of claims, the patentable novelty must be clearly shown in view of the state of art 
disclosed by the references cited and the objections made. Applicant must show how 
the amendments avoid such references and objections. See 37 CFR 1.111 (c). 

36. Inquiries concerning this communication or earlier communications from the 
examiner should be directed to Thomas M. Szymanski who can be reached at (571) 

272- 8574. The examiner's normal working schedule is between the hours 8:00am - 
4:30pm (EST), Monday - Friday. 

37. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Jacques Louis-Jacques, can be reached at (571) 272-6962. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 

273- 8300. 

38. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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